CVE-2025-66147: Missing Authorization in merkulove Coder for Elementor
Missing Authorization vulnerability in merkulove Coder for Elementor (plugin slug coder-elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coder for Elementor: from n/a through <= 1.0.13.
AI Analysis
Technical Summary
CVE-2025-66147 is a Missing Authorization vulnerability (CWE-862) in Coder for Elementor (slug coder-elementor) by merkulove, an add-on for the Elementor page builder on WordPress. The Patchstack record classifies the weakness as "Exploiting Incorrectly Configured Access Control Security Levels" (CAPEC-180): at least one plugin operation is exposed without an authorization check, so a request that reaches it is processed whether or not the caller holds the role the operation was intended for. In WordPress plugin code this almost always means an AJAX action, REST route or form handler that never calls a capability check such as current_user_can() before acting. The record does not name the affected function or endpoint, does not state which privilege level an attacker needs (unauthenticated, subscriber-level, or higher), and lists no fixed version; every release up to and including 1.0.13 is affected. No CVSS score has been assigned and no public exploit had been reported at the time of enrichment. The CVE was reserved on 2025-11-21 and published in December 2025. What an attacker gains depends on the unprotected operation; since the plugin's purpose is to manage custom code for Elementor pages, the realistic outcomes range from altering site content to injecting script that runs in every visitor's browser. Treat the flaw as affecting integrity and, through injected content, confidentiality, and plan for the worst case on required privilege until the vendor or Patchstack publishes details.
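The following is an added illustration of the CWE-862 pattern described above and of its fix, written for this page; it is not code from Coder for Elementor, and the action name demo_save_snippet, the option key demo_custom_snippet and the REST namespace demo/v1 are hypothetical. The WordPress APIs used (add_action, check_ajax_referer, current_user_can, wp_send_json_error, register_rest_route) are real core functions.

```php
<?php
/**
 * Added example: a WordPress AJAX/REST handler that stores site-wide custom
 * code, shown first without and then with an authorization check.
 * Not the plugin's own code; all names are placeholders.
 */

// --- Vulnerable pattern (the two registrations the fix deletes) -------------
//   add_action( 'wp_ajax_demo_save_snippet',        'demo_save_snippet_vulnerable' );
//   add_action( 'wp_ajax_nopriv_demo_save_snippet', 'demo_save_snippet_vulnerable' );
// wp_ajax_ exposes the handler to every logged-in user, wp_ajax_nopriv_ to
// anonymous visitors, and the function never asks who the caller is.
function demo_save_snippet_vulnerable() {
    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    // Stored verbatim and later echoed into every page: whoever can reach
    // admin-ajax.php controls the site's front-end JavaScript.
    update_option( 'demo_custom_snippet', $code );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Logged-in users only: with no wp_ajax_nopriv_ registration, admin-ajax.php
// answers anonymous requests with "0" and never calls the handler.
add_action( 'wp_ajax_demo_save_snippet', 'demo_save_snippet_hardened' );

function demo_save_snippet_hardened() {
    // 1. Nonce: proves the request came from a page WordPress rendered for
    //    this user (anti-CSRF). A nonce is NOT authorization; step 2 is.
    check_ajax_referer( 'demo_save_snippet', 'nonce' );

    // 2. Capability check. Writing code that runs on every page is an
    //    administrator-level action; unfiltered_html is the capability core
    //    itself ties to raw script/HTML (on multisite only super admins have it).
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    update_option( 'demo_custom_snippet', $code );
    wp_send_json_success();
}

// --- Same rule for a REST route --------------------------------------------
// permission_callback must perform the capability check; passing
// '__return_true' here is the REST-route equivalent of the vulnerable handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/snippet', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_snippet',
        'permission_callback' => function () {
            return current_user_can( 'unfiltered_html' );
        },
    ) );
} );

function demo_rest_save_snippet( WP_REST_Request $request ) {
    update_option( 'demo_custom_snippet', (string) $request->get_param( 'code' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of bug, search its source for wp_ajax_, wp_ajax_nopriv_, register_rest_route and admin_post_ registrations and confirm that each handler reaches a current_user_can() (or a permission_callback that does) before any state change; a handler that only checks a nonce is still missing authorization.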
Potential Impact
For European organizations, this vulnerability could allow unauthorized changes to website content, with the associated damage to brand reputation and customer trust. Because the plugin handles custom code for Elementor pages, an attacker who reaches the unprotected operation may be able to inject script that executes in every visitor's browser, enabling credential theft, malware distribution or session hijacking of administrators, and confidential information displayed through the affected site could be exposed or altered. Availability may also suffer if injected code or altered pages break normal operation. Organizations in sectors such as e-commerce, media and government that rely on WordPress with Elementor and this plugin are particularly exposed. The record does not state the privilege level required; defenders should assume the operation is reachable by a low-privileged or unauthenticated caller until the vendor says otherwise, since in either case exploitation is remote and needs no prior compromise of the site. Missing-authorization flaws in widely installed plugins are routinely scanned for across the whole WordPress install base, so organizations slow to patch or lacking role hygiene are likely to be hit opportunistically rather than by targeted attack.
Mitigation Recommendations
1. Identify affected installs: check the installed version on the Plugins screen or with WP-CLI (wp plugin list) and compare it with the vendor changelog. This record lists no fixed version, so confirm with merkulove or Patchstack which release after 1.0.13 contains the fix and upgrade to it as soon as it is available.
2. Until a fixed release is installed, deactivate the plugin where it is not essential. Where it must stay active, restrict who can reach its functionality: the record does not say whether the flaw is reachable without login, so limit access to wp-admin, admin-ajax.php and the plugin's REST namespace at the network or web-server layer (IP allow-listing or VPN), keeping in mind that allow-listing /wp-admin alone does not cover front-end REST routes.
3. Apply least privilege to WordPress roles: remove dormant accounts, avoid granting Editor or Elementor editing rights more widely than needed, and treat every Subscriber or Contributor account as a potential path to a missing-capability-check bug.
4. Add Web Application Firewall rules that block requests to the plugin's AJAX actions and REST routes from clients that lack a WordPress logged-in cookie, and rate-limit admin-ajax.php; a WAF cannot see WordPress roles, so this complements rather than replaces the capability check the vendor patch must add.
5. Audit the plugin code (and other plugins) for AJAX, REST and admin_post handlers that change state without a current_user_can() or permission_callback check, and include WordPress access-control testing in regular penetration tests.
6. Brief site administrators on the issue and on how to report unexpected changes to custom code, pages or user accounts.
7. Log the action parameter of admin-ajax.php requests and REST route hits together with user ID and source IP, and alert on the plugin's operations being invoked by non-administrator or anonymous callers.
8. Isolate critical WordPress instances (separate hosts or containers, read-only plugin directories, no shared database credentials) so that a compromised site cannot pivot to other systems.
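As an added example for the interim measures in items 2, 3 and 7, the must-use plugin below gates named plugin operations behind a capability check without modifying the vendor code. It is written for this page and is not vendor code; the AJAX action names ce_save_code and ce_delete_code, the REST path prefix /coder-elementor/ and the choice of manage_options as the required capability are assumptions to be replaced with the real values found in the installed plugin's source. The hooks it relies on are real core behaviour: admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, and the rest_pre_dispatch filter runs before a route's own permission_callback.

```php
<?php
/**
 * Plugin Name: Interim capability gate (added example, not vendor code)
 * Description: Denies selected plugin operations to callers without a given
 *              capability, and logs every denial. Place this file in
 *              wp-content/mu-plugins/ and remove it once a fixed release is installed.
 *
 * Assumptions: the action names, REST prefix and capability below are
 * placeholders; list the plugin's real handlers by searching its source for
 * wp_ajax_ and register_rest_route.
 */

const CE_GATE_AJAX_ACTIONS = array( 'ce_save_code', 'ce_delete_code' ); // hypothetical
const CE_GATE_REST_PREFIX  = '/coder-elementor/';                        // hypothetical
const CE_GATE_CAPABILITY   = 'manage_options';                           // assumption

/** Write a structured denial record to the PHP error log for alerting. */
function ce_gate_log( $kind, $target ) {
    error_log( sprintf(
        'ce_gate denied %s=%s user=%d ip=%s',
        $kind,
        $target,
        get_current_user_id(),                      // 0 for anonymous callers
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
}

// AJAX: priority 0 on admin_init runs before the plugin's wp_ajax_ handler
// and before any wp_ajax_nopriv_ handler, so anonymous callers are covered too.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( in_array( $action, CE_GATE_AJAX_ACTIONS, true )
        && ! current_user_can( CE_GATE_CAPABILITY ) ) {
        ce_gate_log( 'ajax_action', $action );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }
}, 0 );

// REST: returning a WP_Error from rest_pre_dispatch aborts the request
// before the route callback and its permission_callback execute.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( 0 === strpos( $route, CE_GATE_REST_PREFIX )
        && ! current_user_can( CE_GATE_CAPABILITY ) ) {
        ce_gate_log( 'rest_route', $route );
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    return $result;
}, 0, 3 );
```

This covers only operations dispatched through admin-ajax.php or the REST API; a plugin that processes requests on init or through a custom query variable needs a hook at that point instead. Expect the gate to also block any legitimate low-privileged users who relied on the feature, which is the intended trade-off for a temporary measure. Behind a reverse proxy, REMOTE_ADDR will be the proxy address unless the web server is configured to restore the client IP.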
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:07.863Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 69411752594e45819d70cb6e
Added to database: 12/16/2025, 8:24:50 AM
Last enriched: 12/16/2025, 8:43:32 AM
Last updated: 12/18/2025, 1:42:23 AM